CEH v13 Domain 2.3 Practice Test 004

This practice test covers Domain 2 (Reconnaissance Techniques) Subdomain 3 (Enumeration) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link

CEH v13 Domain 2.3 Practice Test 004

10 questions • 8 single-answer, 2 multi-select

Question 1

Kevin is conducting an internal security assessment of an enterprise Windows environment and wants to extract host information, user accounts, and share names from machines on the same subnet. He uses a Windows command-line tool that queries a target IP address and returns the name table, the MAC address, and logged-on user details over UDP port 137. Which tool is Kevin most likely using?

A. nbtstat -A B. Nmap SMB Scripts C. enum4linux D. snmpwalk

Question 2

Jane is assessing a network infrastructure for a financial firm and discovers several network devices with SNMP enabled and configured with a well-known default community string. She successfully extracts routing tables, ARP caches, and device configurations by sending GetRequest PDUs to UDP port 161. Which community string most likely granted her read-only access to these devices?

A. private B. admin C. public D. community

Question 3

Select all that apply

Elijah is auditing an Active Directory environment at a healthcare organization and wants to extract user account information, organizational units, and group memberships without valid credentials. He discovers the directory service is accessible on port 389 and uses specialized tools to perform anonymous bind queries against it. Which two tools would Elijah most likely use for this purpose? (Choose two)

A. ldapsearch B. netdiscover C. Softerra LDAP Browser D. arp-scan E. nbtscan

Question 4

A red team operator is assessing a mail server at an e-commerce company and wants to determine which email accounts exist on the system without authentication. She connects to the server on port 25 using Telnet and issues a specific command that causes the server to confirm whether a supplied username or address is valid. Which SMTP command is she exploiting?

A. VRFY B. RCPT TO C. EXPN D. EHLO

Question 5

A security team is mapping the DNS infrastructure of a target organization and wants to retrieve all DNS records — including MX, A, AAAA, and TXT records — from a misconfigured name server. The team issues a query that requests a full replica of the DNS database by simulating the process used between authoritative name servers to stay synchronized. Which DNS enumeration technique are they performing?

A. DNS Zone Transfer B. Reverse DNS Lookup C. DNS Cache Snooping D. DNSSEC Walking

Question 6

A penetration tester at a financial services company is enumerating shares on a Windows server and wants to list accessible resources, user accounts, and password policy details by establishing null sessions over SMB. She runs a Linux-based tool that wraps rpcclient, smbclient, and net commands into a single automated workflow and displays results in a structured report. Which tool is she most likely using?

A. enum4linux B. nbtscan C. Hydra D. Nikto

Question 7

An enterprise security team has identified an NTP server on a client's internal network and wants to extract a list of hosts that have recently synchronized time with it as part of their asset discovery effort. The tester sends a specific NTP control message that causes the server to return data about the last 600 clients that queried it, inadvertently providing a detailed map of active network devices. Which NTP command is being exploited?

A. ntpdate B. monlist C. ntpq -p D. readvar

Question 8

Select all that apply

A penetration tester is auditing the VoIP infrastructure of a large call center and wants to identify active SIP extensions and enumerate user accounts on the PBX system without triggering rate-limiting defenses. She uses one tool that performs a targeted scan to map SIP-enabled devices on the network, and a second tool that brute-forces extension ranges over UDP to confirm which accounts are active. Which two tools would she most likely use? (Choose two)

A. svmap B. Nmap C. svwar D. Wireshark E. Metasploit

Question 9

A network security analyst is mapping the external routing infrastructure of a target organization and wants to identify upstream providers, advertised IP prefixes, and AS path relationships without sending any traffic directly to the target. She uses publicly available route servers and looking glass services to extract routing table entries and autonomous system information. Which enumeration technique is she performing?

A. BGP Route Enumeration B. OSPF Topology Discovery C. Passive DNS Analysis D. ICMP Tracerouting

Question 10

An enterprise security architect is hardening network services to prevent attackers from extracting sensitive information such as user lists, group memberships, and share names during a post-scanning enumeration phase. She focuses on a specific configuration change that prevents unauthenticated sessions from querying Windows systems and directory services without providing valid credentials. Which countermeasure directly mitigates both SMB null session enumeration and LDAP anonymous bind queries?

A. Enabling DNSSEC B. MAC Address Filtering C. Network Segmentation D. Disabling Anonymous Access

Related Posts

Leave a Comment Cancel Reply